name: Sign and Upload Mac Installer

on:
  release:
    types: [created, published]
  workflow_dispatch:
    inputs:
      version:
        description: 'Release version to build and upload (e.g. "v9.8.7")'
        required: true
      dryrun:
        description: 'Perform all the steps except uploading to the release page'
        required: true
        default: "true"  # 'choice' type requires string value
        type: choice
        options:
          - "true"  # Must be quoted string, boolean value not supported.
          - "false"

permissions:
  contents: write

jobs:
  build:
    runs-on: macos-latest
    env:
      APPLICATION_CERTIFICATE: ${{ secrets.MACOS_APPLICATION_CERT }}
      CODESIGN_IDENTITY: ${{ secrets.MACOS_APPLICATION_IDENTITY }}
      INSTALLER_CERTIFICATE: ${{ secrets.MACOS_INSTALLER_CERT }}
      PRODUCTSIGN_IDENTITY: ${{ secrets.MACOS_INSTALLER_IDENTITY }}
      CERTIFICATE_PWD: ${{ secrets.MACOS_CERTIFICATE_PWD }}

      NOTARIZE_TEAM: ${{ secrets.MACOS_NOTARIZATION_TEAM_ID }}
      NOTARIZE_USERNAME: ${{ secrets.MACOS_NOTARIZATION_APPLE_ID }}
      NOTARIZE_PASSWORD: ${{ secrets.MACOS_NOTARIZATION_PWD }}

      KEYCHAIN_PWD: ${{ secrets.MACOS_CI_KEYCHAIN_PWD }}
    steps:
    - name: Consolidate dryrun setting to always be true or false
      id: actual_dryrun
      run: |
        # The 'release' trigger will not have a 'dryrun' input set. Handle
        # this case in a readable/maintainable way.
        if [[ -z "${{ inputs.dryrun }}" ]]
        then
          echo "dryrun=false" >> $GITHUB_OUTPUT
        else
          echo "dryrun=${{ inputs.dryrun }}" >> $GITHUB_OUTPUT
        fi
    - name: Dry Run Status
      run: |
        echo "::notice::This workflow execution will be a dry-run: ${{ steps.actual_dryrun.outputs.dryrun }}"
    - name: Determine Version
      id: getversion
      run: |
        if [[ -z "${{ inputs.version }}" ]]
        then
              VERSION=${{ github.event.release.tag_name }}
        else
              VERSION=${{ inputs.version }}
        fi
        echo
        echo "version=$VERSION" >> $GITHUB_OUTPUT
    - name: Check uploads
      id: check
      run: |
        URI="https://github.com/containers/podman/releases/download/${{steps.getversion.outputs.version}}"
        ARM_FILE="podman-installer-macos-arm64.pkg"
        AMD_FILE="podman-installer-macos-amd64.pkg"
        UNIVERSAL_FILE="podman-installer-macos-universal.pkg"

        status=$(curl -s -o /dev/null -w "%{http_code}" "${URI}/${ARM_FILE}")
        if [[ "$status" == "404" ]] ; then
          echo "buildarm=true" >> $GITHUB_OUTPUT
        else
          echo "::warning::ARM installer already exists, skipping"
          echo "buildarm=false" >> $GITHUB_OUTPUT
        fi

        status=$(curl -s -o /dev/null -w "%{http_code}" "${URI}/${AMD_FILE}")
        if [[ "$status" == "404" ]] ; then
          echo "buildamd=true" >> $GITHUB_OUTPUT
        else
          echo "::warning::AMD installer already exists, skipping"
          echo "buildamd=false" >> $GITHUB_OUTPUT
        fi

        status=$(curl -s -o /dev/null -w "%{http_code}" "${URI}/${UNIVERSAL_FILE}")
        if [[ "$status" == "404" ]] ; then
          echo "builduniversal=true" >> $GITHUB_OUTPUT
        else
          echo "::warning::Universal installer already exists, skipping"
          echo "builduniversal=false" >> $GITHUB_OUTPUT
        fi
    - name: Checkout Version
      if: >-
        steps.check.outputs.buildamd == 'true' ||
        steps.check.outputs.buildarm == 'true' ||
        steps.check.outputs.builduniversal == 'true' ||
        steps.actual_dryrun.outputs.dryrun == 'true'
      uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
      with:
        ref: ${{steps.getversion.outputs.version}}
    - name: Set up Go
      # Conditional duplication sucks - GHA doesn't grok YAML anchors/aliases
      if: >-
        steps.check.outputs.buildamd == 'true' ||
        steps.check.outputs.buildarm == 'true' ||
        steps.check.outputs.builduniversal == 'true' ||
        steps.actual_dryrun.outputs.dryrun == 'true'
      uses: actions/setup-go@v5
      with:
        go-version: stable
    - name: Create Keychain
      if: >-
        steps.check.outputs.buildamd == 'true' ||
        steps.check.outputs.buildarm == 'true' ||
        steps.check.outputs.builduniversal == 'true' ||
        steps.actual_dryrun.outputs.dryrun == 'true'
      run: |
        echo $APPLICATION_CERTIFICATE | base64 --decode -o appcert.p12
        echo $INSTALLER_CERTIFICATE | base64 --decode -o instcert.p12

        security create-keychain -p "$KEYCHAIN_PWD" build.keychain
        security default-keychain -s build.keychain
        security unlock-keychain -p "$KEYCHAIN_PWD" build.keychain
        security import appcert.p12 -k build.keychain -P "$CERTIFICATE_PWD" -T /usr/bin/codesign
        security import instcert.p12 -k build.keychain -P "$CERTIFICATE_PWD" -T /usr/bin/productsign
        security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k "$KEYCHAIN_PWD" build.keychain &> /dev/null

        xcrun notarytool store-credentials "notarytool-profile" --apple-id "$NOTARIZE_USERNAME" --team-id "$NOTARIZE_TEAM" --password "$NOTARIZE_PASSWORD" &> /dev/null
    - name: Build and Sign ARM
      if: steps.check.outputs.buildarm == 'true' || steps.actual_dryrun.outputs.dryrun == 'true'
      working-directory: contrib/pkginstaller
      run: |
        make ARCH=aarch64 notarize &> /dev/null
        cd out && shasum -a 256 podman-installer-macos-arm64.pkg >> shasums
    - name: Build and Sign AMD
      if: steps.check.outputs.buildamd == 'true' || steps.actual_dryrun.outputs.dryrun == 'true'
      working-directory: contrib/pkginstaller
      run: |
        make ARCH=amd64 notarize &> /dev/null
        cd out && shasum -a 256 podman-installer-macos-amd64.pkg >> shasums
    - name: Build and Sign Universal
      if: steps.check.outputs.builduniversal == 'true' || steps.actual_dryrun.outputs.dryrun == 'true'
      working-directory: contrib/pkginstaller
      run: |
        make ARCH=universal notarize &> /dev/null
        cd out && shasum -a 256 podman-installer-macos-universal.pkg >> shasums
    - name: Artifact
      if: >-
        steps.check.outputs.buildamd == 'true' ||
        steps.check.outputs.buildarm == 'true' ||
        steps.check.outputs.builduniversal == 'true' ||
        steps.actual_dryrun.outputs.dryrun == 'true'
      uses: actions/upload-artifact@v4
      with:
        name: installers
        path: |
          contrib/pkginstaller/out/podman-installer-macos-*.pkg
          contrib/pkginstaller/out/shasums
    - name: Upload to Release
      if: >-
        steps.actual_dryrun.outputs.dryrun == 'false' &&
        (steps.check.outputs.buildamd == 'true' ||
         steps.check.outputs.buildarm == 'true'||
         steps.check.outputs.builduniversal == 'true' )
      env:
        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      run: |
        (gh release download ${{steps.getversion.outputs.version}} -p "shasums" || exit 0)
        cat contrib/pkginstaller/out/shasums >> shasums
        gh release upload ${{steps.getversion.outputs.version}} contrib/pkginstaller/out/podman-installer-macos-*.pkg
        gh release upload ${{steps.getversion.outputs.version}} --clobber shasums
